Cyber getting baked into more procurements

By Steve Charles

May 24, 2013

A new but not widely noticed provision in the recent White House Executive Order 13636 will mean a major change in federal procurement. The order, a companion directive accompanying Presidential Policy Directive 21, established a multi-agency work group that has been asking industry and federal agencies how cybersecurity could be made a baseline requirement in all acquisitions.

Not just buys of specific cybersecurity products, but of any items or services that somehow touch critical infrastructure. That’s a broad range of potential acquisitions.

If you sell software, any piece of electronic hardware, or systems integration services to the federal government, you need to know about the so-called DOD-GSA Section 8(e) Working Group. The output of this working group will eventually result in new Federal Acquisition Regulations covering anything with a potential cybersecurity element.

This is no long-range effort. The EO, which came out in February, gave the working group 120 days to come up with its recommendations “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration.”

The machinery necessary to get a FAR change implemented won’t produce the intended change overnight. But it’s not too early to start positioning your products in terms of how they support or enhance cybersecurity.

Basically, the administration wants to get as much cybersecurity progress as it can in the absence of legislation from an uncooperative Congress. It can only do so much with industry by fiat. But it can indirectly get more from industry by leveraging authority over federal agencies. Nothing new here, just a new application of advancing cyber policy via the government’s buying power.

Luckily, industry had the chance to weigh in, and presumably the task force is evaluating comments.

The working group has people from Defense, Homeland Security, and GSA. The group’s specific job is to carry out Section 8(e) of the White House Executive Order, which calls for embedding cybersecurity requirements into all federal acquisition planning and procurement processes.

Is it feasible to incorporate cybersecurity standards into federal buys in the first place?

What are commercial procurement practices when it comes to cyber?

Would acquisitions containing specific cybersecurity requirements conflict with existing laws, regulations, or even common practices? If so, what should we do about it?

Comments have closed, but it’s not too late to become involved. At the least, read the executive order, especially Sections 7 and 8. Make sure it gets top management attention, especially if your company is headquartered outside of the Washington region where they might not be in tune with uniquely federal dynamics.

The questions are extensive, and probably no single individual can answer all of them. But since industry is helping prepare a dish companies will eventually be served, here are some things to keep in mind:

Understand that in seeking this public input, the working group defines cybersecurity rather widely, to include supply chain risk management and software assurance. Think about where your company would have potential responsibility. In PPD-21 and in the executive order, the White House is merging federal activities to deal with cyber and physical critical infrastructure threats.

Form a team to stay abreast of what the working group comes up with. There will be further chances to comment once its recommendations become actual proposed new rules, subject to the standard rule-making process.

From a sales standpoint, it’s time to start role-playing your approach. Ask yourself how you’d position your products in solicitations where cybersecurity and critical infrastructure protection warranties are included as boilerplate. For example:

Pre-solicitation, how will your sales messages raise the bar objectively so solicitations are reflecting the latest cybersecurity capability?

Long-term, what role will your company play in helping set the standards and best practices of today, and keep them evolving in the months, years, and decades to come?

We think it’s vital to future sales that marketers of any product with electronic hardware and software take an active role in shaping whatever cyber-related FAR changes emerge.

Apathy could result in industry becoming saddled with the burden and liability for cybersecurity. Or it could inadvertently freeze standards in contracting language while the real threat morphs at light speed.

Clearly we need to get this regulatory framework right, particularly those of us in the world of commercial-off-the-shelf IT.

About the Author

For the past two decades Mr. Charles has helped hundreds of technology manufacturers succeed in the government marketplace. His breadth and depth of expertise on every dimension of the government technology ecosystem provide technology manufacturers with a strategy and clear focus for the greatest success. Mr. Charles is adept at mapping technology product lifecycles and revenue models with appropriate channel and contract vehicle strategies in light of current procurement law, regulations and policy. He receives glowing reviews from the training workshops he facilitates to help sales teams understand the sales tactics needed to address each step in the government acquisition process. Mr. Charles is actively involved in government-industry associations including TechAmerica, ACT-IAC, Coalition for Government Procurement, and the National Contract Management Association. He meets regularly with leaders in government and industry to increase understanding and positive action. Mr. Charles co-authored The Inside Guide to the Federal IT Market, a how-to book for technology companies selling to the government. He is a regular contributor to Washington Technology.

Reader Comments

Tue, Jun 4, 2013

Based on the Monday May 13th entry in the Federal Register (27967 first column lines 13 and 14) comments close on June 12th, 2013. Perhaps there was an update that we missed?

Tue, May 28, 2013
Bill Caelli
Australia

Wow - "C2 by '92" again?? Perhaps everyone should read the introduction and preface to the original "Orange Book" or TCSEC of 1983, then 1985 - yes 30 years ago. The problem wasn't definition of requirements - it was making such acquisition COMPULSORY! and REALLY mandatory under REAL penalties to procuring officers who just ignored the specs or claimed "oops - budgetary considerations!"
